Analysis Date: 2015-10-11 17:00:27
MD5: 2c172bc9d6ecaf0933a5449595d0eaf9
SHA1: b12b9612b14cea7c73728da47441584ca3bc50ce

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 34704244d9801f79c2ecc46e795d670d  sha1: cc293483f9a1e2d9ae483c6b746509e2da317fa6  size: 803328
Section .rdata md5: 297db72c3c2ba9879c1a87589ce26ab4  sha1: de0e4f237dceba72a99beee50204fea107448878  size: 329216
Section .data  md5: 989ffaf15813f0b452009d18b76050b5  sha1: 6e37b9c7143504ff18ad4076a3c60096a2e8630b  size: 8192
Section .reloc md5: 25a031915037e38b5a5e394fc45406d7  sha1: 6abb3680cb74165e4a1c95203fa6646e418cb27b  size: 59392
Timestamp: 2015-02-06 21:03:35
Packer: Microsoft Visual C++ ?.?
PEhash: fcf59429d46eab3beed4150db4c9aa34e98668d2
IMPhash: 23a3148bc08ff289738f5a8fc4c5cc4a
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.553443
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.553443
AV BullGuard: Gen:Variant.Kazy.553443
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.553443
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): no_virus
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.553443
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Kazy.553443
AV Fortinet: W32/Kryptik.DDQD!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Kryptik.CXVL
AV Alwil (avast): Dropper-gen [Drp]
AV Ad-Aware: Gen:Variant.Kazy.553443
AV Rising: no_virus
AV Twister: no_virus
AV Avira (antivir): TR/Agent.1201152.10
AV Mcafee: Trojan-FGIJ!2C172BC9D6EC

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\kmgodmnl50gulv2ssp7ax.exe
Creates File C:\WINDOWS\system32\kysrkekwz\tst
Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\kmgodmnl50gulv2ssp7ax.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\kmgodmnl50gulv2ssp7ax.exe

Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Secure Grouping Framework IKE DCOM ➝ C:\WINDOWS\system32\ipbhfhu.exe
Creates File C:\WINDOWS\system32\kysrkekwz\lck
Creates File C:\WINDOWS\system32\drivers\etc\hosts
Creates File C:\WINDOWS\system32\ipbhfhu.exe
Creates File C:\WINDOWS\system32\kysrkekwz\etc
Creates File C:\WINDOWS\system32\kysrkekwz\tst
Deletes File C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process C:\WINDOWS\system32\ipbhfhu.exe
Creates Service Topology Publication Backup Copy Image - C:\WINDOWS\system32\ipbhfhu.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf
Creates File C:\WINDOWS\Prefetch\HCKPJWMHAKW.EXE-071894FD.pf
Creates File C:\WINDOWS\Prefetch\IPBHFHU.EXE-3A9745BE.pf
Creates File C:\WINDOWS\Prefetch\KMGODMNL50GULV2SSP7AX.EXE-15896EDD.pf
Creates File C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File C:\WINDOWS\Prefetch\KMGODMNUSOGULV2.EXE-2B65D5B5.pf
Creates File C:\WINDOWS\Prefetch\B12B9612B14CEA7C73728DA474415-018A653A.pf
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates File C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1204

Process
↳ Pid 1320

Process
↳ Pid 1864

Process
↳ Pid 532

Process
↳ C:\WINDOWS\system32\ipbhfhu.exe

Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File C:\WINDOWS\system32\hckpjwmhakw.exe
Creates File C:\WINDOWS\system32\kysrkekwz\run
Creates File C:\WINDOWS\TEMP\kmgodmnusogulv2.exe
Creates File C:\WINDOWS\system32\kysrkekwz\cfg
Creates File C:\WINDOWS\system32\kysrkekwz\lck
Creates File pipe\net\NtControlPipe10
Creates File C:\WINDOWS\system32\kysrkekwz\rng
Creates File \Device\Afd\Endpoint
Creates File C:\WINDOWS\system32\kysrkekwz\tst
Deletes File C:\WINDOWS\TEMP\kmgodmnusogulv2.exe
Creates Process WATCHDOGPROC "c:\windows\system32\ipbhfhu.exe"
Creates Process C:\WINDOWS\TEMP\kmgodmnusogulv2.exe -r 33697 tcp

Process
↳ C:\WINDOWS\system32\ipbhfhu.exe

Creates File C:\WINDOWS\system32\kysrkekwz\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\ipbhfhu.exe"

Creates File C:\WINDOWS\system32\kysrkekwz\tst

Process
↳ C:\WINDOWS\TEMP\kmgodmnusogulv2.exe -r 33697 tcp

Creates File \Device\Afd\Endpoint
Winsock DNS 239.255.255.250
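
The runtime events above form one chain: the sample drops a second-stage executable in the user's Temp directory, that stage writes a copy into system32, registers it both as a Run key value (with a plausible-sounding name) and as a service, rewrites drivers\etc\hosts, sets FirewallDisableNotify, and finally relaunches itself under a WATCHDOGPROC parent. The following is an added example, not part of this report or of the sandbox's tooling: it parses event lines in the layout this report uses and correlates them into findings a responder would act on. The sample events are constructed by transcribing lines from the report; the rule names are this example's own.

```python
"""Host-side triage of sandbox runtime events (added example, not from the report)."""
import re

# Constructed sample: event lines transcribed from the report (paths verbatim,
# including the doubled backslash the sandbox recorded on the hosts deletion).
SAMPLE_EVENTS = r"""
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\kmgodmnl50gulv2ssp7ax.exe
Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\kmgodmnl50gulv2ssp7ax.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Secure Grouping Framework IKE DCOM ➝ C:\WINDOWS\system32\ipbhfhu.exe
Creates File C:\WINDOWS\system32\ipbhfhu.exe
Creates File C:\WINDOWS\system32\drivers\etc\hosts
Deletes File C:\WINDOWS\system32\\drivers\etc\hosts
Creates Service Topology Publication Backup Copy Image - C:\WINDOWS\system32\ipbhfhu.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates Process WATCHDOGPROC "c:\windows\system32\ipbhfhu.exe"
"""

EVENT_RE = re.compile(
    r"^(Creates File|Deletes File|Creates Process|Creates Service|Registry)\s+(.+)$"
)


def parse_events(text):
    """Return a list of (event_kind, argument) pairs, skipping non-event lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def norm_path(p):
    """Case-fold and collapse repeated backslashes so the doubled-slash hosts path matches."""
    return re.sub(r"\\+", r"\\", p.strip().strip('"')).lower()


def triage(events):
    """Apply the correlation rules; returns a list of (rule, subject, detail) findings."""
    dropped = {norm_path(arg) for kind, arg in events if kind == "Creates File"}
    findings = []
    for kind, arg in events:
        if kind == "Registry" and "➝" in arg:
            key, _, value = arg.partition("➝")
            key, value = key.strip(), value.strip()
            # Autostart value whose target is a file this same run wrote to disk.
            if "\\currentversion\\run\\" in key.lower() and norm_path(value) in dropped:
                findings.append(("run_key_to_dropped_file", key.rsplit("\\", 1)[-1], norm_path(value)))
            # Security Center flag that suppresses the "firewall is off" notification.
            elif key.lower().endswith("\\security center\\firewalldisablenotify") and value == "1":
                findings.append(("firewall_notify_disabled", key, value))
        elif kind == "Creates Service":
            # Report layout is "<service name> - <binary path>".
            name, sep, binpath = arg.rpartition(" - ")
            if sep and norm_path(binpath) in dropped:
                findings.append(("service_to_dropped_file", name, norm_path(binpath)))
        elif kind == "Deletes File" and norm_path(arg).endswith("\\drivers\\etc\\hosts"):
            detail = "also created" if norm_path(arg) in dropped else ""
            findings.append(("hosts_file_tampered", norm_path(arg), detail))
        elif kind == "Creates Process":
            if arg.startswith("WATCHDOGPROC"):
                findings.append(("watchdog_relaunch", arg, "self-monitoring child"))
            elif "\\temp\\" in norm_path(arg):
                findings.append(("exec_from_temp", norm_path(arg), ""))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:26} {subject}  {detail}".rstrip())
```

The useful part of the correlation is `dropped`: a Run key or service on its own is noise on a real host, but one whose target was written to disk during the same execution is a strong persistence signal regardless of how innocuous the value or service name reads.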

Network Details:

DNS A queentell.net ➝ 208.91.197.241
DNS A wednesdayhalf.net ➝ 208.91.197.241
DNS A mouthrest.net ➝ 208.91.197.241
DNS A drivethirteen.net ➝ 208.91.197.241
DNS A faceboat.net ➝ 208.91.197.241
DNS A muchhappy.net ➝ 208.91.197.241
DNS A callmile.net ➝ 208.91.197.241
DNS A visitlive.net ➝ 84.16.92.233
DNS A watchmine.net ➝ 74.86.188.172
DNS A fairserve.net ➝ 184.95.49.118
DNS A dreamhello.net ➝ 195.22.26.248
DNS A dreammine.net ➝ 195.22.26.248
DNS A dreamlive.net ➝ 208.48.81.134
DNS A dreamlive.net ➝ 64.15.205.100
DNS A dreamlive.net ➝ 64.15.205.101
DNS A dreamlive.net ➝ 208.48.81.133
DNS A thislive.net ➝ 208.100.26.234
DNS A dreamserve.net ➝ 46.30.212.89
DNS A southhouse.net ➝ 116.126.87.124
DNS A arivegift.net ➝ 195.22.26.252
DNS A arivegift.net ➝ 195.22.26.253
DNS A arivegift.net ➝ 195.22.26.254
DNS A arivegift.net ➝ 195.22.26.231
DNS A spothouse.net ➝ 81.169.145.88
DNS A salthouse.net ➝ 208.73.211.192
DNS A salthouse.net ➝ 208.73.211.195
DNS A salthouse.net ➝ 208.73.211.179
DNS A salthouse.net ➝ 208.73.211.183
DNS A groupgift.net ➝ 162.243.147.202
DNS A equalpeace.net ➝ 184.168.221.55
DNS A grouppeace.net ➝ 50.63.202.60
DNS A spokehouse.net ➝ 202.124.241.178
DNS A watchhouse.net ➝ 78.137.164.56
DNS A fairhouse.net ➝ 192.214.104.78
DNS A watchgift.net ➝ 184.168.221.16
DNS A dreamhouse.net ➝ 69.172.201.208
DNS A thishouse.net ➝ 207.148.248.143
DNS A dreamgift.net ➝ 98.126.32.242
DNS A ableread.net ➝ (no address recorded)
DNS A soilunder.net ➝ (no address recorded)
DNS A fearstate.net ➝ (no address recorded)
DNS A visithello.net ➝ (no address recorded)
DNS A spokemine.net ➝ (no address recorded)
DNS A visitmine.net ➝ (no address recorded)
DNS A spokelive.net ➝ (no address recorded)
DNS A spokeserve.net ➝ (no address recorded)
DNS A visitserve.net ➝ (no address recorded)
DNS A watchhello.net ➝ (no address recorded)
DNS A fairhello.net ➝ (no address recorded)
DNS A fairmine.net ➝ (no address recorded)
DNS A watchlive.net ➝ (no address recorded)
DNS A fairlive.net ➝ (no address recorded)
DNS A watchserve.net ➝ (no address recorded)
DNS A thishello.net ➝ (no address recorded)
DNS A thismine.net ➝ (no address recorded)
DNS A thisserve.net ➝ (no address recorded)
DNS A arivehouse.net ➝ (no address recorded)
DNS A southgift.net ➝ (no address recorded)
DNS A arivetuesday.net ➝ (no address recorded)
DNS A southtuesday.net ➝ (no address recorded)
DNS A arivepeace.net ➝ (no address recorded)
DNS A southpeace.net ➝ (no address recorded)
DNS A uponhouse.net ➝ (no address recorded)
DNS A whichhouse.net ➝ (no address recorded)
DNS A upongift.net ➝ (no address recorded)
DNS A whichgift.net ➝ (no address recorded)
DNS A upontuesday.net ➝ (no address recorded)
DNS A whichtuesday.net ➝ (no address recorded)
DNS A uponpeace.net ➝ (no address recorded)
DNS A whichpeace.net ➝ (no address recorded)
DNS A spotgift.net ➝ (no address recorded)
DNS A saltgift.net ➝ (no address recorded)
DNS A spottuesday.net ➝ (no address recorded)
DNS A salttuesday.net ➝ (no address recorded)
DNS A spotpeace.net ➝ (no address recorded)
DNS A saltpeace.net ➝ (no address recorded)
DNS A gladhouse.net ➝ (no address recorded)
DNS A takenhouse.net ➝ (no address recorded)
DNS A gladgift.net ➝ (no address recorded)
DNS A takengift.net ➝ (no address recorded)
DNS A gladtuesday.net ➝ (no address recorded)
DNS A takentuesday.net ➝ (no address recorded)
DNS A gladpeace.net ➝ (no address recorded)
DNS A takenpeace.net ➝ (no address recorded)
DNS A equalhouse.net ➝ (no address recorded)
DNS A grouphouse.net ➝ (no address recorded)
DNS A equalgift.net ➝ (no address recorded)
DNS A equaltuesday.net ➝ (no address recorded)
DNS A grouptuesday.net ➝ (no address recorded)
DNS A visithouse.net ➝ (no address recorded)
DNS A spokegift.net ➝ (no address recorded)
DNS A visitgift.net ➝ (no address recorded)
DNS A spoketuesday.net ➝ (no address recorded)
DNS A visittuesday.net ➝ (no address recorded)
DNS A spokepeace.net ➝ (no address recorded)
DNS A visitpeace.net ➝ (no address recorded)
DNS A fairgift.net ➝ (no address recorded)
DNS A watchtuesday.net ➝ (no address recorded)
DNS A fairtuesday.net ➝ (no address recorded)
DNS A watchpeace.net ➝ (no address recorded)
DNS A fairpeace.net ➝ (no address recorded)
DNS A thisgift.net ➝ (no address recorded)
DNS A dreamtuesday.net ➝ (no address recorded)
DNS A thistuesday.net ➝ (no address recorded)
HTTP GET http://queentell.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://mouthrest.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://drivethirteen.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://faceboat.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://muchhappy.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://callmile.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://visitlive.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://watchmine.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://fairserve.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://dreamhello.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://dreammine.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://dreamlive.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://thislive.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://dreamserve.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://southhouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://arivegift.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://spothouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://salthouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://groupgift.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://equalpeace.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://grouppeace.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://spokehouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://watchhouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://fairhouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://watchgift.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://dreamhouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://thishouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://dreamgift.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://queentell.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://mouthrest.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://drivethirteen.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://faceboat.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://muchhappy.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
Flows TCP 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1044 ➝ 84.16.92.233:80
Flows TCP 192.168.1.1:1045 ➝ 74.86.188.172:80
Flows TCP 192.168.1.1:1046 ➝ 184.95.49.118:80
Flows TCP 192.168.1.1:1047 ➝ 195.22.26.248:80
Flows TCP 192.168.1.1:1048 ➝ 195.22.26.248:80
Flows TCP 192.168.1.1:1049 ➝ 208.48.81.134:80
Flows TCP 192.168.1.1:1050 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1051 ➝ 46.30.212.89:80
Flows TCP 192.168.1.1:1052 ➝ 116.126.87.124:80
Flows TCP 192.168.1.1:1053 ➝ 195.22.26.252:80
Flows TCP 192.168.1.1:1054 ➝ 81.169.145.88:80
Flows TCP 192.168.1.1:1055 ➝ 208.73.211.192:80
Flows TCP 192.168.1.1:1056 ➝ 162.243.147.202:80
Flows TCP 192.168.1.1:1057 ➝ 184.168.221.55:80
Flows TCP 192.168.1.1:1058 ➝ 50.63.202.60:80
Flows TCP 192.168.1.1:1059 ➝ 202.124.241.178:80
Flows TCP 192.168.1.1:1060 ➝ 78.137.164.56:80
Flows TCP 192.168.1.1:1061 ➝ 192.214.104.78:80
Flows TCP 192.168.1.1:1062 ➝ 184.168.221.16:80
Flows TCP 192.168.1.1:1063 ➝ 69.172.201.208:80
Flows TCP 192.168.1.1:1064 ➝ 207.148.248.143:80
Flows TCP 192.168.1.1:1065 ➝ 98.126.32.242:80
Flows TCP 192.168.1.1:1066 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1067 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1068 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1069 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1070 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1071 ➝ 208.91.197.241:80
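
Two things stand out in the network records. The request path and query string are identical for every contacted host (only the domain changes, and the User-Agent is blank), so the URI rather than any domain is the stable thing to alert on; and the sample cycles through dozens of two-word .net names, with the first seven all resolving to 208.91.197.241 and everything after dreamgift.net getting no address at all. The following is an added example, not part of this report: it reads records in the report's own layout and pulls out the host-independent beacon signature, the per-request "sox" identifier, the domains that were queried but never resolved, and addresses shared by several domains. The sample input is constructed from a subset of the report's records.

```python
"""Network-indicator extraction from sandbox DNS/HTTP records (added example, not from the report)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a subset of the report's DNS answers and HTTP requests, in its layout.
SAMPLE_NET = """\
DNS queentell.net
Type: A
208.91.197.241
DNS wednesdayhalf.net
Type: A
208.91.197.241
DNS dreamlive.net
Type: A
208.48.81.134
DNS dreamlive.net
Type: A
64.15.205.100
DNS ableread.net
Type: A
DNS soilunder.net
Type: A
HTTP GET http://queentell.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
HTTP GET http://dreamlive.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr
User-Agent:
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_dns(text):
    """Return {domain: set(addresses)}; an empty set means queried but never answered."""
    answers = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("DNS "):
            current = line[4:].strip()
            answers.setdefault(current, set())
        elif current and IPV4_RE.match(line):
            answers[current].add(line)
        elif line.startswith("HTTP GET"):
            current = None  # end of the DNS section
    return answers


def parse_http(text):
    """Return the requested URLs, in order."""
    return [line[len("HTTP GET"):].strip() for line in text.splitlines() if line.startswith("HTTP GET")]


def unanswered(answers):
    """Domains with no recorded address, sorted."""
    return sorted(d for d, ips in answers.items() if not ips)


def shared_ips(answers):
    """Addresses that serve more than one queried domain -> sorted domain list."""
    by_ip = defaultdict(set)
    for domain, ips in answers.items():
        for ip in ips:
            by_ip[ip].add(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}


def beacon_signature(urls):
    """Drop the host: {path+query: sorted hosts} shows which URL shape recurs across domains."""
    sig = defaultdict(set)
    for url in urls:
        u = urlsplit(url)
        sig[u.path + ("?" + u.query if u.query else "")].add(u.hostname)
    return {k: sorted(v) for k, v in sig.items()}


def sox_id(url):
    """The 'sox' query parameter (constant across every request in this report)."""
    return parse_qs(urlsplit(url).query).get("sox", [None])[0]


if __name__ == "__main__":
    ans = parse_dns(SAMPLE_NET)
    print("unanswered:", unanswered(ans))
    print("shared IPs:", shared_ips(ans))
    for template, hosts in beacon_signature(parse_http(SAMPLE_NET)).items():
        print(f"{template}  <- {len(hosts)} hosts, sox={sox_id('http://x' + template)}")
```

The `beacon_signature` key is what goes into a proxy or IDS rule: matching on `/index.php?method=validate&mode=sox` with an empty User-Agent catches the beacon whichever of the generated domains happens to resolve on a given day, where a domain blocklist built from this one run would only cover the names seen here.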

Raw Pcap

Strings